matrix-docker-ansible-deploy
Jitsi Matrix Auth failing
Jitsi Integration with Matrix/Element Failing with Authentication Errors
I'd like to start by thanking the devs (and everyone contributing) for creating and sharing such a great ansible tool for Matrix (and MASH of course)!
I am using this repo to install Matrix, Element, and Jitsi. My goal is to have Jitsi authenticate with Matrix using auth method Matrix and use OpenID auth provided by Keycloak on Matrix. However, I am encountering issues where Jitsi fails to authenticate users, leading to errors both when using the native video button in Element and when adding a Jitsi widget via Dimension. Here are the detailed steps, configurations, logs, and troubleshooting steps taken.
I was hoping someone could point me in the right direction to solve this.
Steps to Reproduce
- Installation and Configuration:
  - Followed the prerequisites and installation steps as described in the docs
  - Modified vars.yml as needed.
  - Ran the following commands:
      ansible-playbook -i inventory/hosts setup.yml --tags=install-all,ensure-matrix-users-created,start
    After the first run, created an admin user with
      just register-user admin password yes
    , obtained an access token for the admin user and used that for the access_token variable in vars.yml. Then enabled UVS and Dimension and let them use the access token in vars.yml:
      matrix_user_verification_service_enabled: true
      matrix_user_verification_service_uvs_access_token: "{{ access_token }}"
      matrix_user_verification_service_container_http_host_bind_port: 3000
      matrix_user_verification_service_uvs_require_auth: true
      matrix_dimension_enabled: true
      matrix_dimension_admins:
        - "@test:{{ matrix_domain }}"
        - "@admin:{{ matrix_domain }}"
      matrix_dimension_access_token: "{{ access_token }}"
    Then ran:
      ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
- Jitsi Configuration:
  - Verified that Jitsi works when jitsi_enable_auth is set to false through both the native video button in Element and the Jitsi widget via Dimension. Afterward, when set to true, the problems begin.
- Authentication and Integration:
  - Configured Keycloak to work with Matrix, ensuring login works as expected for Matrix users.
  - Verified that the Jitsi domain connects correctly by checking the browser console to ensure it connects to jitsi.domain and not to meet.element.io or meet.jit.si. For both video icon and widget initiation of a Jitsi meet.
  - SSL certificates are valid for all subdomains.
  - Verified that JWT is passed to Jitsi on loading by checking the browser console and network activity when joining a Jitsi conference. The loading URL should look like:
      https://jitsi.example.com/{{Your conference id}}?jwt={{the jwt authentication token}}
- Attempt to Start a Jitsi Call:
  - Attempted to start a Jitsi call in Element either using the video button in a room with three people or by adding a Jitsi widget as a room moderator.
Expected Behavior
Jitsi should authenticate with Matrix, allowing users to start and join video calls seamlessly and promote a user to moderator if applicable.
Actual Behavior
- Using the Native Video Button in Element:
  - Error displayed: "Sorry, you're not allowed to join this call. Possible reasons: Invalid nbf value. Invalid exp value."
- Using the Jitsi Widget via Dimension:
  - A login prompt inside the Jitsi widget appears, but no credentials are accepted, tried the Matrix native admin user created earlier and the test users from my Keycloak server.
Logs and Configuration
(Redacted my actual domain with either *.domain or *.example.com)
Logs for matrix-jitsi-jvb.service
May 24 06:11:35 test matrix-jitsi-jvb[1315267]: JVB 2024-05-24 06:11:35.922 INFO: [16] org.ice4j.ice.harvest.MappingCandidateHarvesters.initialize: Using org.ice4j.ice.harvest.StaticMappingCandidateHarvester(face=172.25.0.4:9/udp, mask=127.0.0.1:9/udp)
May 24 06:11:35 test matrix-jitsi-jvb[1315267]: JVB 2024-05-24 06:11:35.922 INFO: [16] org.ice4j.ice.harvest.MappingCandidateHarvesters.initialize: Using org.ice4j.ice.harvest.StunMappingCandidateHarvester@1992e816
May 24 06:11:35 test matrix-jitsi-jvb[1315267]: JVB 2024-05-24 06:11:35.922 INFO: [16] org.ice4j.ice.harvest.MappingCandidateHarvesters.initialize: Using org.ice4j.ice.harvest.StunMappingCandidateHarvester@133010be
May 24 06:11:35 test matrix-jitsi-jvb[1315267]: JVB 2024-05-24 06:11:35.923 INFO: [16] org.ice4j.ice.harvest.MappingCandidateHarvesters.initialize: Initialized mapping harvesters (delay=780ms). stunDiscoveryFailed=false
May 24 06:11:35 test matrix-jitsi-jvb[1315267]: JVB 2024-05-24 06:11:35.995 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime: A provider org.jitsi.rest.Health registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.rest.Health will be ignored.
May 24 06:11:35 test matrix-jitsi-jvb[1315267]: JVB 2024-05-24 06:11:35.995 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime: A provider org.jitsi.rest.Version registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.rest.Version will be ignored.
May 24 06:11:35 test matrix-jitsi-jvb[1315267]: JVB 2024-05-24 06:11:35.996 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime: A provider org.jitsi.rest.prometheus.Prometheus registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.rest.prometheus.Prometheus will be ignored.
May 24 06:11:36 test matrix-jitsi-jvb[1315267]: JVB 2024-05-24 06:11:36.161 INFO: [1] org.eclipse.jetty.server.handler.ContextHandler.doStart: Started o.e.j.s.ServletContextHandler@322e49ee{/,null,AVAILABLE}
May 24 06:11:36 test matrix-jitsi-jvb[1315267]: JVB 2024-05-24 06:11:36.162 INFO: [1] org.eclipse.jetty.server.AbstractConnector.doStart: Started ServerConnector@3402b4c9{HTTP/1.1, (http/1.1)}{0.0.0.0:8080}
May 24 06:11:36 test matrix-jitsi-jvb[1315267]: JVB 2024-05-24 06:11:36.162 INFO: [1] org.eclipse.jetty.server.Server.doStart: Started Server@6ab4ba9f{STARTING}[11.0.20,sto=0] @1509ms
Logs for matrix-jitsi-jicofo.service
May 24 06:11:34 test matrix-jitsi-jicofo[1314901]: Jicofo 2024-05-24 06:11:34.676 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime: A provider org.jitsi.rest.Version registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.rest.Version will be ignored.
May 24 06:11:34 test matrix-jitsi-jicofo[1314901]: Jicofo 2024-05-24 06:11:34.676 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime: A provider org.jitsi.rest.prometheus.Prometheus registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.rest.prometheus.Prometheus will be ignored.
May 24 06:11:34 test matrix-jitsi-jicofo[1314901]: Jicofo 2024-05-24 06:11:34.677 WARNING: [1] org.glassfish.jersey.internal.inject.Providers.checkProviderRuntime: A provider org.jitsi.jicofo.rest.ConferenceRequest registered in SERVER runtime does not implement any provider interfaces applicable in the SERVER runtime. Due to constraint configuration problems the provider org.jitsi.jicofo.rest.ConferenceRequest will be ignored.
May 24 06:11:34 test matrix-jitsi-jicofo[1314901]: Jicofo 2024-05-24 06:11:34.810 INFO: [1] org.eclipse.jetty.server.handler.ContextHandler.doStart: Started o.e.j.s.ServletContextHandler@7f13811b{/,null,AVAILABLE}
May 24 06:11:34 test matrix-jitsi-jicofo[1314901]: Jicofo 2024-05-24 06:11:34.817 INFO: [1] org.eclipse.jetty.server.AbstractConnector.doStart: Started ServerConnector@3cae7b8b{HTTP/1.1, (http/1.1)}{0.0.0.0:8888}
May 24 06:11:34 test matrix-jitsi-jicofo[1314901]: Jicofo 2024-05-24 06:11:34.821 INFO: [1] org.eclipse.jetty.server.Server.doStart: Started Server@70211e49{STARTING}[11.0.20,sto=0] @1321ms
May 24 06:11:34 test matrix-jitsi-jicofo[1314901]: Jicofo 2024-05-24 06:11:34.821 INFO: [1] JicofoServices.<init>#169: Registering GlobalMetrics periodic updates.
May 24 06:11:35 test matrix-jitsi-jicofo[1314901]: Jicofo 2024-05-24 06:11:35.845 INFO: [40] [type=bridge brewery=jvbbrewery] BaseBrewery.addInstance#347: Added brewery instance: [email protected]/aa9993b0c4e2
May 24 06:11:35 test matrix-jitsi-jicofo[1314901]: Jicofo 2024-05-24 06:11:35.850 INFO: [40] BridgeSelector.addJvbAddress#96: Added new videobridge: Bridge[[email protected]/aa9993b0c4e2, version=2.3.105-ge155b81e, relayId=null, region=null, stress=0.00]
May 24 06:11:35 test matrix-jitsi-jicofo[1314901]: Jicofo 2024-05-24 06:11:35.855 INFO: [43] JvbDoctor.bridgeAdded#128: Scheduled health-check task for: Bridge[[email protected]/aa9993b0c4e2, version=2.3.105-ge155b81e, relayId=null, region=null, stress=0.00]
Logs for matrix-jitsi-web.service
May 24 07:15:25 test matrix-jitsi-web[1315798]: 172.22.0.2 - - [24/May/2024:07:15:25 +0000] "GET /sounds/reactions-laughter.mp3 HTTP/1.1" 206 10341 "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1
ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU&lang=enGB" ""
May 24 07:15:25 test matrix-jitsi-web[1315798]: 172.22.0.2 - - [24/May/2024:07:15:25 +0000] "GET /sounds/reactions-applause.mp3 HTTP/1.1" 206 9874 "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU&lang=enGB" ""
May 24 07:15:25 test matrix-jitsi-web[1315798]: 172.22.0.2 - - [24/May/2024:07:15:25 +0000] "GET /sounds/reactions-thumbs-up.mp3 HTTP/1.1" 206 10212 "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU&lang=enGB" ""
May 24 07:15:26 test matrix-jitsi-web[1315798]: 172.22.0.2 - - [24/May/2024:07:15:26 +0000] "GET /sounds/reactions-crickets.mp3 HTTP/1.1" 206 14163 "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU&lang=enGB" ""
May 24 07:15:33 test matrix-jitsi-web[1315798]: 2024/05/24 07:15:33 [error] 286#286: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 172.22.0.2, server: _, request: "POST /http-bind?room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX
25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU HTTP/1.1", upstream: "http://172.25.0.5:5280/http-bind?prefix=&room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU", host: "jitsi.msg1.example.com", referrer: "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU HTTP/1.1", upstream: "http://172.25.0.5:5280/http-bind?prefix=&room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU", host: "jitsi.msg1.example.com", referrer: 
"https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU&lang=enGB" ""
May 24 07:15:34 test matrix-jitsi-web[1315798]: 172.22.0.2 - - [24/May/2024:07:15:34 +0000] "POST /http-bind?room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU HTTP/1.1" 200 585 "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJ
hbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU&lang=enGB" ""
May 24 07:15:33 test matrix-jitsi-web[1315798]: 2024/05/24 07:15:33 [error] 286#286: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 172.22.0.2, server: _, request: "POST /http-bind?room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU HTTP/1.1", upstream: "http://172.25.0.5:5280/http-bind?prefix=&room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU", host: "jitsi.msg1.example.com", referrer: "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU HTTP/1.1", upstream: 
"http://172.25.0.5:5280/http-bind?prefix=&room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU", host: "jitsi.msg1.example.com", referrer: "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6
eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU&lang=enGB" ""
May 24 07:16:04 test matrix-jitsi-web[1315798]: 2024/05/24 07:16:04 [error] 286#286: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 172.22.0.2, server: _, request: "POST /http-bind?room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU HTTP/1.1", upstream: "http://172.25.0.5:5280/http-bind?prefix=&room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU", host: "jitsi.msg1.example.com", referrer: "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU HTTP/1.1", upstream: 
"http://172.25.0.5:5280/http-bind?prefix=&room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU", host: "jitsi.msg1.example.com", referrer: "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU&lang=enGB" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
125.0.0.0 Safari/537.36"
May 24 07:16:04 test matrix-jitsi-web[1315798]: 172.22.0.2 - - [24/May/2024:07:16:04 +0000] "POST /http-bind?room=ef2xm33cjjkeevkmjbeeov2joffwgrr2nvzwomjomrsw23zoo4wxg33mov2gs33oomxgizlw&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIiwic2VydmVyX25hbWUiOiJtc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU HTTP/1.1" 200 265 "https://jitsi.msg1.example.com/EF2XM33CJJKEEVKMJBEEOV2JOFFWGRR2NVZWOMJOMRSW23ZOO4WXG33MOV2GS33OOMXGIZLW?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqaXRzaS5tc2cxLmV4YW1wbGUuY29tIiwic3ViIjoiaml0c2kubXNnMS5leGFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vaml0c2kubXNnMS5leGFtcGxlLmNvbSIsInJvb20iOiIqIiwiY29udGV4dCI6eyJtYXRyaXgiOnsidG9rZW4iOiJ0a0NuVW1td09NbVRjUWpZeUhBZHBCZHAiLCJyb29tX2lkIjoiIXV2b2JKVEJVTEhIR1dJcUtjRjptc2cxLmV4YW1wbGUuY29tIn0sInVzZXIiOnsiYXZhdGFyIjoiIiwibmFtZSI6InRlc3QifX19.gdQ2Vdpuq67Ebe0A0Yp4ne8TO1MzNy0PJD9zVuA9yEU&lang=enGB" ""
Logs for matrix-jitsi-prosody.service
May 24 04:58:19 test matrix-jitsi-prosody[1214097]: 2024-05-24 04:58:19 mod_bosh info New BOSH session, assigned it sid 'c5144032-ea6d-4c91-8992-ab63ad966e32'
May 24 04:58:19 test matrix-jitsi-prosody[1214097]: 2024-05-24 04:58:19 msg1.matrix.domain:auth_matrix_user_verification info Found room ID: !uvobJTBULHHGWIqKcF:msg1.matrix.domain, server_name: msg1.matrix.domain
May 24 04:58:19 test matrix-jitsi-prosody[1214097]: 2024-05-24 04:58:19 msg1.matrix.domain:auth_matrix_user_verification info REQUEST_COMPLETE reason:not_in_room
May 24 04:58:19 test matrix-jitsi-prosody[1214097]: 2024-05-24 04:58:19 msg1.matrix.domain:auth_matrix_user_verification warn Error verifying membership err:access-denied, reason:Token invalid or not in room
May 24 05:01:26 test matrix-jitsi-prosody[1214097]: 2024-05-24 05:01:26 mod_bosh info New BOSH session, assigned it sid '9b33c3cb-09c5-49ea-a3f3-fc88d5aa52dd'
May 24 05:01:26 test matrix-jitsi-prosody[1214097]: 2024-05-24 05:01:26 msg1.matrix.domain:auth_matrix_user_verification info Found room ID: !uvobJTBULHHGWIqKcF:msg1.matrix.domain, server_name: msg1.matrix.domain
May 24 05:01:26 test matrix-jitsi-prosody[1214097]: 2024-05-24 05:01:26 msg1.matrix.domain:auth_matrix_user_verification info REQUEST_COMPLETE reason:not_in_room
May 24 05:01:26 test matrix-jitsi-prosody[1214097]: 2024-05-24 05:01:26 msg1.matrix.domain:auth_matrix_user_verification warn Error verifying membership err:access-denied, reason:Token invalid or not in room
May 24 05:03:06 test matrix-jitsi-prosody[1214097]: 2024-05-24 05:03:06 mod_bosh info Client tried to use sid 'c5144032-ea6d-4c91-8992-ab63ad966e32' which we don't know about
May 24 05:03:06 test matrix-jitsi-prosody[1214097]: 2024-05-24 05:03:06 mod_bosh info Client tried to use sid '9b33c3cb-09c5-49ea-a3f3-fc88d5aa52dd' which we don't know about
Logs for matrix-user-verification-service.service
May 24 07:15:33 test matrix-user-verification-service[1313620]: level: 'info',
May 24 07:15:33 test matrix-user-verification-service[1313620]: message: 'POST /verify/user_in_room: {"room_id":"!uvobJTBULHHGWIqKcF:msg1.example.com","token":"<redacted>","matrix_server_name":"msg1.example.com"}',
May 24 07:15:33 test matrix-user-verification-service[1313620]: timestamp: '2024-05-24T07:15:33.759Z'
May 24 07:15:33 test matrix-user-verification-service[1313620]: }
May 24 07:15:34 test matrix-user-verification-service[1313620]: {
May 24 07:15:34 test matrix-user-verification-service[1313620]: requestId: '86fb437a-8554-4db5-861e-6c817fea9aa4',
May 24 07:15:34 test matrix-user-verification-service[1313620]: level: 'info',
May 24 07:15:34 test matrix-user-verification-service[1313620]: message: 'User verified but room membership check failed.',
May 24 07:15:34 test matrix-user-verification-service[1313620]: timestamp: '2024-05-24T07:15:34.104Z'
May 24 07:15:34 test matrix-user-verification-service[1313620]: }
Vars.yml Configuration:
# Misc
public_ip: "REDACTED"
access_token: "REDACTED"
acme_email: '[email protected]'
traefik_log_lvl: 'DEBUG'
ssl_staging: false
# Matrix
matrix_domain: "example.com"
matrix_homeserver_implementation: synapse
matrix_homeserver_generic_secret_key: "REDACTED"
matrix_synapse_admin_enabled: true
matrix_client_element_enabled: true
matrix_synapse_ext_synapse_auto_accept_invite_enabled: true
matrix_synapse_ext_synapse_auto_accept_invite_accept_invites_only_direct_messages: false
jitsi_enabled: true
jitsi_enable_auth: true
jitsi_auth_type: matrix
matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "jitsi.{{ matrix_domain }}"
matrix_client_element_jitsi_preferred_domain: "jitsi.{{ matrix_domain }}"
jitsi_xmpp_server: "{{ matrix_domain }}"
jitsi_hostname: "jitsi.{{ matrix_domain }}"
server_fqn_jitsi: "jitsi.{{ matrix_domain }}"
matrix_user_verification_service_enabled: true
matrix_user_verification_service_uvs_access_token: "{{ access_token }}"
matrix_user_verification_service_container_http_host_bind_port: 3000
matrix_user_verification_service_uvs_require_auth: true
matrix_synapse_oidc_enabled: true
matrix_synapse_oidc_providers:
  - idp_id: keycloak
    idp_name: "Keycloak-dev"
    issuer: "https://REDACTED/realms/Matrix"
    client_id: "matrix-client"
    client_secret: "REDACTED"
    scopes: ["openid", "profile"]
    user_mapping_provider:
      config:
        localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
        display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
        email_template: "{% raw %}{{ user.email }}{% endraw %}"
    allow_existing_users: true
    backchannel_logout_enabled: true
matrix_dimension_enabled: true
matrix_dimension_admins:
- "@test:{{ matrix_domain }}"
- "@admin:{{ matrix_domain }}"
matrix_dimension_access_token: "{{ access_token }}"
requirements.yml versions:
---
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
  version: v1.0.0-3
  name: auxiliary
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
  version: v1.2.8-1.8.9-0
  name: backup_borg
- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
  version: v0.1.2-1
  name: container_socket_proxy
- src: git+https://github.com/geerlingguy/ansible-role-docker
  version: 7.1.0
  name: docker
- src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
  version: 129c8590e106b83e6f4c259649a613c6279e937a
  name: docker_sdk_for_python
- src: git+https://gitlab.com/etke.cc/roles/etherpad.git
  version: v2.0.3-0
  name: etherpad
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
  version: v4.97.1-r0-0-2
  name: exim_relay
- src: git+https://gitlab.com/etke.cc/roles/grafana.git
  version: v11.0.0-0
  name: grafana
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
  version: v9457-3
  name: jitsi
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keydb.git
  version: v6.3.4-1
  name: keydb
- src: git+https://gitlab.com/etke.cc/roles/ntfy.git
  version: v2.10.0-0
  name: ntfy
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
  version: 201c939eed363de269a83ba29784fc3244846048
  name: playbook_help
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
  version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
  name: playbook_runtime_messages
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
  version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
  name: playbook_state_preserver
- src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
  version: v16.3-0
  name: postgres
- src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
  version: 046004a8cb9946979b72ce81c2526c8033ea8067
  name: postgres_backup
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
  version: v2.52.0-0
  name: prometheus
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
  version: v1.8.1-0
  name: prometheus_node_exporter
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
  version: v0.14.0-4
  name: prometheus_postgres_exporter
- src: git+https://gitlab.com/etke.cc/roles/redis.git
  version: v7.2.4-0
  name: redis
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
  version: v1.1.0-0
  name: systemd_docker_base
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
  version: v1.0.0-4
  name: systemd_service_manager
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.0.0-0
  name: timesync
- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
  version: v2.11.2-0
  name: traefik
- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.3-1
  name: traefik_certs_dumper
Troubleshooting Steps Taken
- Manual User Registration in Prosody:
  docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register testuser meet.jitsi testpass
  Result:
  The given hostname does not exist in the config
- Connecting to the Matrix User Verification Service:
  docker exec matrix-jitsi-prosody wget http://matrix-user-verification-service:3000
  Result:
  404 Not Found
- UVS
  When exposing the port on 3000 via:
  matrix_user_verification_service_container_http_host_bind_port: 3000
  I execute this with a valid access token:
  notroot@test:/opt/matrix# curl -k -X POST http://localhost:3000/verify/user -H "Authorization: Bearer syt_token" -H "Content-Type: application/json" -d '{"matrix_server_name": "matrix.msg1.example.com","token": "syt_YXXXXXXXXX" }'
  It returns:
  {}
  This also has the same result when I execute it within the prosody container after
  docker exec -it matrix-jitsi-prosody bash
  and then install curl and execute:
  curl -k -X POST http://matrix-user-verification-service:3000/verify/user -H "Authorization: Bearer syt_token" -H "Content-Type: application/json" -d '{"matrix_server_name": "matrix.msg1.example.com","token": "syt_YXXXXXXXXX" }'
- Disabling Jitsi Authentication:
  - When jitsi_enable_auth: false, Jitsi works without issues through both the native video button in Element and the Jitsi widget via Dimension.
  - When
- Keycloak Authentication:
  - Authentication via Keycloak for Matrix works as expected for all users.
Environment Information
- OS: Ubuntu 22.04
- Docker Version: 26.1.3
- Matrix Version: latest from matrix-docker-ansible-deploy
- Element Version: latest from matrix-docker-ansible-deploy
- Jitsi Version: latest from matrix-docker-ansible-deploy
References
- Pull Request #2375: Jitsi Integration
- Issue #1474: Jitsi Auth Setup
- prosody-mod-auth-matrix-user-verification
- Jitsi Widget URL
- Issue #2589
- Issue #2499
- Issue #3127
Additional Context
Jitsi config
Changes are done by first editing the vars.yml and then executing:
just run-tags stop-group --extra-vars=group=jitsi; rm -rf /matrix/jitsi; just install-service jitsi
On top of that, during testing I'll execute /matrix/bin/remove-all about 1-4 times throughout the day (not trying to hit the Let's Encrypt limit) and then reuse vars.yml, which I keep under version control.
DNS and Ports
My DNS records and ports are also configured. I use this WIP to check the prerequisites pre-deployment.
---
- name: Check Matrix Docker Ansible Deploy Prerequisites
  hosts: matrix
  become: true
  vars:
    public_IP: "{{ lookup('dig', 'myip.opendns.com', '@resolver1.opendns.com') }}"
    root_domain: 'example.com'
    main_domain: "msg1.{{ root_domain }}"
    # DNS and ports checks
    ports:
      tcp:
        - 25
        - 587
        - 80
        - 443
        - 4443
        - 8448
        - 8008
        - 3478
        - 5349
      udp:
        - 10000
        - 3478
        - 5349
        - 49152-49172
    dns_records:
      wildcard_a:
        host: "*.msg1.{{ root_domain }}"
        expected: "{{ public_IP }}"
      a:
        host: "msg1.{{ root_domain }}"
        expected: "{{ public_IP }}"
      mx:
        host: "msg.msg1.{{ root_domain }}"
        priority: 10
        expected: "msg.msg1.{{ root_domain }}"
      txt_spf:
        host: "msg.msg1.{{ root_domain }}"
        content: "v=spf1 ip4:{{ public_IP }} -all"
      txt_dmarc:
        host: "_dmarc.msg.msg1.{{ root_domain }}"
        content: "v=DMARC1; p=quarantine;"
      txt_domainkey:
        host: "postmoogle.domainkey.msg.msg1.{{ root_domain }}"
        content: "To Be Determined"
  tasks:
    - name: Ensure nmap is installed
      ansible.builtin.apt:
        name: nmap
        state: present
    - name: Check if TCP ports are open and reachable
      ansible.builtin.wait_for:
        host: "{{ public_IP }}"
        port: "{{ item }}"
        state: started
        timeout: 5
      with_items: "{{ ports.tcp }}"
    - name: Check if UDP ports are open and reachable
      ansible.builtin.command: "nmap -sU -p {{ item }} {{ public_IP }}"
      register: udp_port_check
      changed_when: false
      with_items: "{{ ports.udp }}"
      when: item != '49152-49172'
    - name: Ensure UDP ports are reachable
      ansible.builtin.fail:
        msg: "UDP port {{ item.item }} is not reachable. Output: {{ item.stdout }}"
      when: "item.stdout is defined and ('open' not in item.stdout and 'open|filtered' not in item.stdout)"
      with_items: "{{ udp_port_check.results }}"
    - name: Check if UDP port range 49152-49172 is open and reachable
      ansible.builtin.command: "nmap -sU -p {{ item }} {{ public_IP }}"
      register: port_range_check
      changed_when: false
      with_sequence: start=49152 end=49172
    - name: Ensure UDP port range 49152-49172 is reachable
      ansible.builtin.fail:
        msg: "UDP port {{ item.item }} is not reachable. Output: {{ item.stdout }}"
      when: "item.stdout is defined and ('open' not in item.stdout and 'open|filtered' not in item.stdout)"
      with_items: "{{ port_range_check.results }}"
    - name: Check DNS wildcard A record
      ansible.builtin.command: "dig +short {{ item.host }}"
      register: dns_result
      with_items:
        - "{{ dns_records.wildcard_a }}"
      failed_when: dns_result.stdout != item.expected
    - name: Check DNS A record
      ansible.builtin.command: "dig +short {{ item.host }}"
      register: dns_result
      with_items:
        - "{{ dns_records.a }}"
      failed_when: dns_result.stdout != item.expected
    # - name: Check DNS MX record
    #   ansible.builtin.command: "dig +short MX {{ item.host }}"
    #   register: dns_result
    #   with_items:
    #     - "{{ dns_records.mx }}"
    #   failed_when: dns_result.stdout_lines | select("search", item.priority|string + ' ' + item.expected) | list | length == 0
    # - name: Check DNS TXT records
    #   ansible.builtin.command: "dig +short TXT {{ item.host }}"
    #   register: dns_result
    #   with_items:
    #     - "{{ dns_records.txt_spf }}"
    #     - "{{ dns_records.txt_dmarc }}"
    #     - "{{ dns_records.txt_domainkey }}"
    #   failed_when: dns_result.stdout | regex_search(item.content) is none